“Apple has released security updates for iPhone, iPod touch, and iPad to address flaws in both PDF handling and I/O – these flaws had been exploited recently to create a Web-based jailbreak for the company’s portable devices. iOS 4.0.2 is available via iTunes for the iPhone and iPod touch, and iOS 3.2.2 patches the flaw for iPad owners.”
It’s the first time I’ve ever been sad about a security patch.
It worries me that don’t bother to patch a year old flaw in OS X, but take just two weeks to close a hole in iOS. Apple’s priority is their bottom line, not their user’s security.
This is a good thing, not because it limits jailbreaking (which I think should be easy) but because you’ve got to wonder… if this exploit allowed something as drastic as jailbreaking, what else might it allow if you were to click on a phony jailbreak link or other maliciously crafted pdf document?
This just shows how incompetent Apple’s engineers are. Code execution through PDFs is not good, but at least it’s not an uncommon flaw. However, being able to run code as root (or having the device’s OS owned by the user account) is another utterly stupid flaw.
it used a second exploit that allowed it to escalate privileges. So the PDF rendering module is not entirely at fault here.
Ah, the perfect storm…
To quote a conspiracy theorist from another thread:
“Nah, a billionrary company with all the testers they have doesn’t make this kind of miss takes. They are prolly up to something.”
Maybe? No… just standard software development as usual: No software is bug-free.
Apple developers are just too lazy to update an open source library dependency (freetype library).
http://www.kb.cert.org/vuls/id/275247
Which just goes to show that even with more security than Windows is usually know for, it is possible to compromise other OS.
You just need to find the right security holes.